But here’s the thing…
That’s what we’ll cover in this post.
Let’s dive in…
Children’s Online Privacy Protection Act (COPPA)
The Children’s Online Privacy Protection Act (COPPA) is the only federal law that governs online privacy in the United States, and it is one of the oldest online privacy laws on the books (it was passed in 1998).
But COPPA is fairly limited. Its primary goal is to ensure that parents have control over the information collected about their young children by websites. Specifically, COPPA provides that websites are not allowed to collect personal information from individuals younger than 13 years old without first obtaining direct, verified consent from their parents to collect that information.
If you’ve ever wondered why sites like Roblox ask if the user is younger than 13… COPPA is the reason! Under COPPA, a parent needs to be the one who initially signs the child up and who consents to the collection of information.
If you are building a website or other online platform that is directed to children younger than 13, you should consult with a privacy law expert to craft the right policies and procedures to ensure you’re complying with COPPA. That’s beyond the scope of this post.
Later in this post, we’ll be talking about how websites that are NOT specifically intended for young children need to address COPPA compliance.
You may have heard of a more recent law called the California Consumer Privacy Act (CCPA), but that law only applies to you if your revenue is more than $25 million, you’re collecting information from more than 50,000 California residents a year, or you are a data broker who collects and then sells information. So… I’m guessing it doesn’t apply to YOU!
The General Data Protection Regulation
Finally, let’s talk about the General Data Protection Regulation (GDPR), which is the EU’s privacy law that went into effect on May 25, 2018, and explaining its complexities is actually one of the things that first brought me to prominence in the online world.
The GDPR requires that these disclosures be written in plain language so readers can easily understand what is happening with their data.
Among other things, the GDPR requires us to tell people what information we’re collecting, how we’re collecting it, our legal basis for collecting it, what we’ll do with it once it’s collected, and who we share it with.
The GDPR also requires you to inform visitors of certain rights that they have when it comes to their data. Think of it as something like the Miranda warnings that police officers are required to give… only you’re the one who has to provide the warnings.
Start With An Introductory Section
Here’s our intro section:
Address Children Under 13 Using Your Site
Assuming that your site isn’t intended for children under 13, you’ll want to include a provision saying as much… but also include a way for parents to contact you to request deletion of any information their children might have shared.
Outline The Information You Collect
You’ll want to craft multiple sections that fall under this general definition, starting with a broad explanation like this:
You can also get more specific in the first section and lay out the particular types of information you collect (e.g., names, emails, addresses, etc.).
Beyond the general statement, you’ll want to include a cookie disclosure so that people understand you are using cookies and tracking pixels. Here’s an example:
The last paragraph in that section addresses CalOPPA’s requirement that you inform visitors how you’ll respond to Do Not Track (DNT) requests set in visitors’ web browsers. The default is not to respond to them.
Finally, you should include a section that covers how you handle information that people send you via email (or through any forms on the website):
Taken together, these clauses will cover your bases when it comes to describing the information you collect from people.
Explain Why You Collect The Information And How You’ll Use It
Once you’ve explained what information you’ll collect, it’s time to explain why the heck you’re collecting it. Both CalOPPA and the GDPR have provisions that are implicated here.
To meet the requirements, you need to explain the purpose for collecting and using the information (the why), how you’ll use it, and a legitimate reason for you to be collecting it in the first place.
There are multiple reasons you might be collecting the information, including:
- To deliver a good or service
- To track preferences so you can deliver a better experience later
- To fulfill contractual duties
- To send further marketing information to the user
That section is largely about explaining the motivation for collecting information… but you also need a section explaining how you use it once it has been collected. Here’s how we handle that:
Explain Who You Will Share The Information With
Next up, you need to explain who (outside your company) may have access to the information people share with you.
Many people default to saying that they won’t share the information with anyone… but that is not true. You will almost certainly be sharing information with third-party service providers who are helping you in your business.
Moreover, you’ll want to leave room to share the information in certain legal contexts (e.g., a lawsuit against a customer, if you sell the company, or if you are required by law to do so).
Here’s how we have addressed this disclosure requirement:
We crafted this section very carefully to simultaneously give people confidence that we aren’t going to be sharing their information willy-nilly while also protecting our backside if we need to share it for a legitimate reason.
Explain EU Visitors’ Rights Under The GDPR
Don’t Forget These Odds-And-Ends
These sections aren’t hard to write… but don’t forget them.
But, I wouldn’t recommend it. That is NOT a good use of your time.
Just answer some questions, and our system will create your custom policy. You’ll also get a Google Doc version of the template that you can use to customize the agreement if you want to do it yourself.